policy

package
v3.6.0-alpha.1+incompa... Latest Latest
Warning

This package is not in the latest version of its module.

Published: Apr 12, 2017 License: Apache-2.0 Imports: 36 Imported by: 0

Documentation

Index

Constants

// Recommended names of the commands that add a role to, or remove a role
// from, a user or a group.
const (
	AddRoleToUserRecommendedName       = "add-role-to-user"
	AddRoleToGroupRecommendedName      = "add-role-to-group"
	RemoveRoleFromUserRecommendedName  = "remove-role-from-user"
	RemoveRoleFromGroupRecommendedName = "remove-role-from-group"
)

// Recommended names of the cluster-role counterparts of the commands above.
// A change made through these commands is to a cluster role binding, so it
// deserves at least the same review as a role change.
const (
	AddClusterRoleToUserRecommendedName       = "add-cluster-role-to-user"
	AddClusterRoleToGroupRecommendedName      = "add-cluster-role-to-group"
	RemoveClusterRoleFromUserRecommendedName  = "remove-cluster-role-from-user"
	RemoveClusterRoleFromGroupRecommendedName = "remove-cluster-role-from-group"
)
// Recommended names of the commands that add a user or group to a
// security context constraint (SCC).
const (
	AddSCCToUserRecommendedName  = "add-scc-to-user"
	AddSCCToGroupRecommendedName = "add-scc-to-group"
)

// Recommended names of the commands that remove a user or group from a
// security context constraint (SCC).
const (
	RemoveSCCFromUserRecommendedName  = "remove-scc-from-user"
	RemoveSCCFromGroupRecommendedName = "remove-scc-from-group"
)
// RemoveGroupRecommendedName is the recommended name of the remove-group command.
const RemoveGroupRecommendedName = "remove-group"

// RemoveUserRecommendedName is the recommended name of the remove-user command.
const RemoveUserRecommendedName = "remove-user"
// CanIRecommendedName is the recommended name of the can-i command.
const CanIRecommendedName = "can-i"
// PolicyRecommendedName is the recommended name of the policy command.
const PolicyRecommendedName = "policy"
const ReconcileClusterRoleBindingsRecommendedName = "reconcile-cluster-role-bindings"

ReconcileClusterRoleBindingsRecommendedName is the recommended command name

const ReconcileClusterRolesRecommendedName = "reconcile-cluster-roles"

ReconcileClusterRolesRecommendedName is the recommended command name

const ReconcileProtectAnnotation = "openshift.io/reconcile-protect"

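ReconcileProtectAnnotation is the name of an annotation which prevents reconciliation if set to "true". An object carrying it is therefore not brought back to the recommended bootstrap policy by the reconcile commands and keeps whatever it currently grants, so annotated objects need to be reviewed separately.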

const ReconcileSCCRecommendedName = "reconcile-sccs"

ReconcileSCCRecommendedName is the recommended command name

// ReviewRecommendedName is the recommended name of the scc-review command.
const ReviewRecommendedName = "scc-review"
// SubjectReviewRecommendedName is the recommended name of the scc-subject-review command.
const SubjectReviewRecommendedName = "scc-subject-review"
// WhoCanRecommendedName is the recommended name of the who-can command.
const WhoCanRecommendedName = "who-can"

Variables

This section is empty.

Functions

func CheckStatefulSetWithWolumeClaimTemplates added in v1.5.0

func CheckStatefulSetWithWolumeClaimTemplates(obj runtime.Object) error

CheckStatefulSetWithWolumeClaimTemplates checks whether the supplied object is a StatefulSet with volumeClaimTemplates. The scc-review and scc-subject-review commands currently cannot handle this case correctly, because validation is not based only on the podTemplateSpec. (The "Wolume" spelling is part of the exported identifier.)

func DiffObjectReferenceLists added in v1.0.7

func DiffObjectReferenceLists(list1 []kapi.ObjectReference, list2 []kapi.ObjectReference) (list1Only []kapi.ObjectReference, list2Only []kapi.ObjectReference)

DiffObjectReferenceLists returns lists containing the items unique to each provided list:

list1Only = list1 - list2
list2Only = list2 - list1

if both returned lists are empty, the provided lists are equal

func GetPodTemplateForObject added in v1.5.0

func GetPodTemplateForObject(obj runtime.Object) (*kapi.PodTemplateSpec, error)

func IsClusterRoleBindingLookupError added in v1.3.0

func IsClusterRoleBindingLookupError(err error) bool

func MergeMaps added in v1.3.0

func MergeMaps(a, b map[string]string) map[string]string

MergeMaps will merge two map[string]string instances, with keys from the second argument overwriting keys from the first argument in case of duplicates.

func NewClusterRoleBindingLookupError added in v1.3.0

func NewClusterRoleBindingLookupError(rolesNotFound []string) error

func NewCmdAddClusterRoleToGroup

func NewCmdAddClusterRoleToGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdAddClusterRoleToGroup implements the OpenShift cli add-cluster-role-to-group command

func NewCmdAddClusterRoleToUser

func NewCmdAddClusterRoleToUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdAddClusterRoleToUser implements the OpenShift cli add-cluster-role-to-user command

func NewCmdAddRoleToGroup

func NewCmdAddRoleToGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdAddRoleToGroup implements the OpenShift cli add-role-to-group command

func NewCmdAddRoleToUser

func NewCmdAddRoleToUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdAddRoleToUser implements the OpenShift cli add-role-to-user command

func NewCmdAddSCCToGroup added in v1.0.7

func NewCmdAddSCCToGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdAddSCCToUser added in v1.0.7

func NewCmdAddSCCToUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdCanI added in v1.3.0

func NewCmdCanI(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdPolicy added in v0.6.1

func NewCmdPolicy(name, fullName string, f *clientcmd.Factory, out, errout io.Writer) *cobra.Command

NewCmdPolicy implements the OpenShift cli policy command

func NewCmdReconcileClusterRoleBindings added in v1.0.7

func NewCmdReconcileClusterRoleBindings(name, fullName string, f *clientcmd.Factory, out, err io.Writer) *cobra.Command

NewCmdReconcileClusterRoleBindings implements the OpenShift cli reconcile-cluster-role-bindings command

func NewCmdReconcileClusterRoles added in v1.0.4

func NewCmdReconcileClusterRoles(name, fullName string, f *clientcmd.Factory, out, errout io.Writer) *cobra.Command

NewCmdReconcileClusterRoles implements the OpenShift cli reconcile-cluster-roles command

func NewCmdReconcileSCC added in v1.0.8

func NewCmdReconcileSCC(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdReconcileSCC implements the OpenShift cli reconcile-sccs command.

func NewCmdRemoveClusterRoleFromGroup

func NewCmdRemoveClusterRoleFromGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveClusterRoleFromGroup implements the OpenShift cli remove-cluster-role-from-group command

func NewCmdRemoveClusterRoleFromUser

func NewCmdRemoveClusterRoleFromUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveClusterRoleFromUser implements the OpenShift cli remove-cluster-role-from-user command

func NewCmdRemoveGroupFromProject

func NewCmdRemoveGroupFromProject(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveGroupFromProject implements the OpenShift cli remove-group command

func NewCmdRemoveRoleFromGroup

func NewCmdRemoveRoleFromGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveRoleFromGroup implements the OpenShift cli remove-role-from-group command

func NewCmdRemoveRoleFromUser

func NewCmdRemoveRoleFromUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveRoleFromUser implements the OpenShift cli remove-role-from-user command

func NewCmdRemoveSCCFromGroup added in v1.0.7

func NewCmdRemoveSCCFromGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdRemoveSCCFromUser added in v1.0.7

func NewCmdRemoveSCCFromUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdRemoveUserFromProject

func NewCmdRemoveUserFromProject(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveUserFromProject implements the OpenShift cli remove-user command

func NewCmdSccReview added in v1.5.0

func NewCmdSccReview(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdSccSubjectReview added in v1.5.0

func NewCmdSccSubjectReview(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdWhoCan

func NewCmdWhoCan(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdWhoCan implements the OpenShift cli who-can command

Types

type ClusterRoleBindingAccessor

// ClusterRoleBindingAccessor operates against cluster-scoped role bindings.
type ClusterRoleBindingAccessor struct {
	// Client is presumably the client passed to NewClusterRoleBindingAccessor
	// and used by the accessor's methods; their bodies are not shown here — confirm.
	Client client.Interface
}

ClusterRoleBindingAccessor operates against cluster scoped role bindings

func NewClusterRoleBindingAccessor

func NewClusterRoleBindingAccessor(client client.Interface) ClusterRoleBindingAccessor

func (ClusterRoleBindingAccessor) CreateRoleBinding

func (a ClusterRoleBindingAccessor) CreateRoleBinding(binding *authorizationapi.RoleBinding) error

func (ClusterRoleBindingAccessor) GetExistingRoleBindingNames

func (a ClusterRoleBindingAccessor) GetExistingRoleBindingNames() (*sets.String, error)

func (ClusterRoleBindingAccessor) GetExistingRoleBindingsForRole

func (a ClusterRoleBindingAccessor) GetExistingRoleBindingsForRole(roleNamespace, role string) ([]*authorizationapi.RoleBinding, error)

func (ClusterRoleBindingAccessor) UpdateRoleBinding

func (a ClusterRoleBindingAccessor) UpdateRoleBinding(binding *authorizationapi.RoleBinding) error

type LocalRoleBindingAccessor

// LocalRoleBindingAccessor operates against role bindings in a namespace.
type LocalRoleBindingAccessor struct {
	// BindingNamespace is presumably the namespace whose role bindings the
	// accessor reads and writes — confirm against the method bodies.
	BindingNamespace string
	// Client is presumably the client passed to NewLocalRoleBindingAccessor — confirm.
	Client client.Interface
}

LocalRoleBindingAccessor operates against role bindings in a namespace

func NewLocalRoleBindingAccessor

func NewLocalRoleBindingAccessor(bindingNamespace string, client client.Interface) LocalRoleBindingAccessor

func (LocalRoleBindingAccessor) CreateRoleBinding

func (a LocalRoleBindingAccessor) CreateRoleBinding(binding *authorizationapi.RoleBinding) error

func (LocalRoleBindingAccessor) GetExistingRoleBindingNames

func (a LocalRoleBindingAccessor) GetExistingRoleBindingNames() (*sets.String, error)

func (LocalRoleBindingAccessor) GetExistingRoleBindingsForRole

func (a LocalRoleBindingAccessor) GetExistingRoleBindingsForRole(roleNamespace, role string) ([]*authorizationapi.RoleBinding, error)

func (LocalRoleBindingAccessor) UpdateRoleBinding

func (a LocalRoleBindingAccessor) UpdateRoleBinding(binding *authorizationapi.RoleBinding) error

type ReconcileClusterRoleBindingsOptions added in v1.0.7

// ReconcileClusterRoleBindingsOptions contains all the necessary functionality
// for the OpenShift cli reconcile-cluster-role-bindings command.
type ReconcileClusterRoleBindingsOptions struct {
	// RolesToReconcile says which roles should have their default bindings reconciled.
	// An empty or nil slice means reconcile all of them.
	RolesToReconcile []string

	// NOTE(review): Confirmed and Union are undocumented on this type.
	// ReconcileSCCOptions documents its same-named fields as "the data should
	// be persisted" and as additive changes versus overwrite; presumably the
	// same holds here — confirm. If it does, a Union run leaves subjects that
	// were added to a binding in place instead of removing them.
	Confirmed bool
	Union     bool

	// ExcludeSubjects is presumably built from the excludeUsers and
	// excludeGroups arguments of Complete — confirm how they are applied.
	ExcludeSubjects []kapi.ObjectReference

	// Out and Err are the writers the command reports to. Output is
	// presumably the requested output format — confirm.
	Out    io.Writer
	Err    io.Writer
	Output string

	// RoleBindingClient is the cluster role binding client.
	RoleBindingClient client.ClusterRoleBindingInterface
}

ReconcileClusterRoleBindingsOptions contains all the necessary functionality for the OpenShift cli reconcile-cluster-role-bindings command

func (*ReconcileClusterRoleBindingsOptions) ChangedClusterRoleBindings added in v1.0.7

func (o *ReconcileClusterRoleBindingsOptions) ChangedClusterRoleBindings() ([]*authorizationapi.ClusterRoleBinding, error)

ChangedClusterRoleBindings returns the role bindings that must be created and/or updated to match the recommended bootstrap policy. If roles to reconcile are provided, but not all are found, all partial results are returned.

func (*ReconcileClusterRoleBindingsOptions) Complete added in v1.0.7

func (o *ReconcileClusterRoleBindingsOptions) Complete(cmd *cobra.Command, f *clientcmd.Factory, args []string, excludeUsers, excludeGroups []string) error

func (*ReconcileClusterRoleBindingsOptions) ReplaceChangedRoleBindings added in v1.0.7

func (o *ReconcileClusterRoleBindingsOptions) ReplaceChangedRoleBindings(changedRoleBindings []*authorizationapi.ClusterRoleBinding) error

ReplaceChangedRoleBindings will reconcile all the changed system role bindings back to the recommended bootstrap policy

func (*ReconcileClusterRoleBindingsOptions) RunReconcileClusterRoleBindings added in v1.0.7

func (o *ReconcileClusterRoleBindingsOptions) RunReconcileClusterRoleBindings(cmd *cobra.Command, f *clientcmd.Factory) error

func (*ReconcileClusterRoleBindingsOptions) Validate added in v1.0.7

type ReconcileClusterRolesOptions added in v1.0.7

// ReconcileClusterRolesOptions holds the settings and client for the
// reconcile-cluster-roles command (see RunReconcileClusterRoles).
type ReconcileClusterRolesOptions struct {
	// RolesToReconcile says which roles should be reconciled.  An empty or nil slice means
	// reconcile all of them.
	RolesToReconcile []string

	// NOTE(review): Confirmed and Union are undocumented on this type.
	// ReconcileSCCOptions documents its same-named fields as "the data should
	// be persisted" and as additive changes versus overwrite; presumably the
	// same holds here — confirm. If it does, a Union run keeps rules that
	// were added to a role instead of removing them.
	Confirmed bool
	Union     bool

	// Out and ErrOut are the writers the command reports to. Output is
	// presumably the requested output format — confirm.
	Out    io.Writer
	ErrOut io.Writer
	Output string

	// RoleClient is the cluster role client.
	RoleClient client.ClusterRoleInterface
}

func (*ReconcileClusterRolesOptions) ChangedClusterRoles added in v1.0.7

ChangedClusterRoles returns the roles that must be created and/or updated to match the recommended bootstrap policy

func (*ReconcileClusterRolesOptions) Complete added in v1.0.7

func (o *ReconcileClusterRolesOptions) Complete(cmd *cobra.Command, f *clientcmd.Factory, args []string) error

func (*ReconcileClusterRolesOptions) ReplaceChangedRoles added in v1.0.7

func (o *ReconcileClusterRolesOptions) ReplaceChangedRoles(changedRoles []*authorizationapi.ClusterRole) error

ReplaceChangedRoles will reconcile all the changed roles back to the recommended bootstrap policy

func (*ReconcileClusterRolesOptions) RunReconcileClusterRoles added in v1.0.7

func (o *ReconcileClusterRolesOptions) RunReconcileClusterRoles(cmd *cobra.Command, f *clientcmd.Factory) error

RunReconcileClusterRoles contains all the necessary functionality for the OpenShift cli reconcile-cluster-roles command

func (*ReconcileClusterRolesOptions) Validate added in v1.0.7

func (o *ReconcileClusterRolesOptions) Validate() error

type ReconcileSCCOptions added in v1.0.8

// ReconcileSCCOptions holds the settings and clients for the reconcile-sccs
// command (see RunReconcileSCCs).
type ReconcileSCCOptions struct {
	// Confirmed indicates that the data should be persisted.
	Confirmed bool
	// Union controls whether changes to the users/groups/labels/annotations
	// fields are additive or overwrite them, and whether existing priorities
	// are preserved (unset priorities will always be reconciled).
	// NOTE(review): with additive changes, users and groups already listed on
	// an SCC stay on it after a reconcile, so review them separately.
	Union bool
	// InfraNamespace is the name of the openshift infrastructure namespace.
	// It is provided here so that the command doesn't need to try and parse
	// the policy config.
	InfraNamespace string

	// Out is the writer the command reports to. Output is presumably the
	// requested output format — confirm.
	Out    io.Writer
	Output string

	// SCCClient and NSClient are the SecurityContextConstraints and Namespace clients.
	SCCClient kcoreclient.SecurityContextConstraintsInterface
	NSClient  kcoreclient.NamespaceInterface
}

func NewDefaultReconcileSCCOptions added in v1.0.8

func NewDefaultReconcileSCCOptions() *ReconcileSCCOptions

NewDefaultReconcileSCCOptions provides a ReconcileSCCOptions with default settings.

func (*ReconcileSCCOptions) ChangedSCCs added in v1.0.8

ChangedSCCs returns the SCCs that must be created and/or updated to match the recommended bootstrap SCCs.

func (*ReconcileSCCOptions) Complete added in v1.0.8

func (o *ReconcileSCCOptions) Complete(cmd *cobra.Command, f *clientcmd.Factory, args []string) error

func (*ReconcileSCCOptions) ReplaceChangedSCCs added in v1.0.8

func (o *ReconcileSCCOptions) ReplaceChangedSCCs(changedSCCs []*kapi.SecurityContextConstraints) error

ReplaceChangedSCCs persists the changed SCCs.

func (*ReconcileSCCOptions) RunReconcileSCCs added in v1.0.8

func (o *ReconcileSCCOptions) RunReconcileSCCs(cmd *cobra.Command, f *clientcmd.Factory) error

RunReconcileSCCs contains the functionality for the reconcile-sccs command for making or previewing changes.

func (*ReconcileSCCOptions) Validate added in v1.0.8

func (o *ReconcileSCCOptions) Validate() error

type RemoveFromProjectOptions

// RemoveFromProjectOptions is presumably the option set behind the
// remove-user and remove-group commands (NewCmdRemoveUserFromProject and
// NewCmdRemoveGroupFromProject) — confirm against their bodies.
type RemoveFromProjectOptions struct {
	// BindingNamespace is presumably the namespace whose bindings are edited — confirm.
	BindingNamespace string
	Client           client.Interface

	// Groups and Users presumably name the subjects to remove; Complete
	// takes a target *[]string that may point at either — confirm.
	Groups []string
	Users  []string

	// Out is the writer the command reports to.
	Out io.Writer
}

func (*RemoveFromProjectOptions) Complete

func (o *RemoveFromProjectOptions) Complete(f *clientcmd.Factory, args []string, target *[]string, targetName string) error

func (*RemoveFromProjectOptions) Run

type RoleBindingAccessor

// RoleBindingAccessor is used by role modification commands to access and
// modify roles. Every method it declares reads or writes role bindings;
// ClusterRoleBindingAccessor and LocalRoleBindingAccessor both declare this
// method set.
type RoleBindingAccessor interface {
	// GetExistingRoleBindingsForRole returns role bindings for the role named by roleNamespace and role.
	GetExistingRoleBindingsForRole(roleNamespace, role string) ([]*authorizationapi.RoleBinding, error)
	// GetExistingRoleBindingNames returns a set of role binding names.
	GetExistingRoleBindingNames() (*sets.String, error)
	// UpdateRoleBinding writes a changed role binding.
	UpdateRoleBinding(binding *authorizationapi.RoleBinding) error
	// CreateRoleBinding writes a new role binding.
	CreateRoleBinding(binding *authorizationapi.RoleBinding) error
}

RoleBindingAccessor is used by role modification commands to access and modify roles; every method it declares reads or writes role bindings.

type RoleModificationOptions

// RoleModificationOptions carries the role, the binding accessor and the
// subjects used by AddRole and RemoveRole.
type RoleModificationOptions struct {
	// RoleNamespace and RoleName identify the role being added or removed.
	RoleNamespace string
	RoleName      string
	// RoleBindingAccessor is the accessor through which bindings are read and written.
	RoleBindingAccessor RoleBindingAccessor

	// NOTE(review): how Targets, Users, Groups and Subjects relate is not
	// visible here; presumably Complete and CompleteUserWithSA fill them from
	// the command arguments — confirm before relying on any one of them.
	Targets  []string
	Users    []string
	Groups   []string
	Subjects []kapi.ObjectReference
}

func (*RoleModificationOptions) AddRole

func (o *RoleModificationOptions) AddRole() error

func (*RoleModificationOptions) Complete

func (o *RoleModificationOptions) Complete(f *clientcmd.Factory, args []string, target *[]string, targetName string, isNamespaced bool) error

func (*RoleModificationOptions) CompleteUserWithSA added in v1.0.5

func (o *RoleModificationOptions) CompleteUserWithSA(f *clientcmd.Factory, args []string, saNames []string, isNamespaced bool) error

func (*RoleModificationOptions) RemoveRole

func (o *RoleModificationOptions) RemoveRole() error

type SCCModificationOptions added in v1.0.7

// SCCModificationOptions carries the SCC name, the client and the subjects
// used by AddSCC and RemoveSCC.
type SCCModificationOptions struct {
	// SCCName names the security context constraint to modify.
	SCCName string
	// SCCInterface is the getter for the SecurityContextConstraints client.
	SCCInterface kcoreclient.SecurityContextConstraintsGetter

	// DefaultSubjectNamespace is presumably the namespace applied to a
	// subject given without one — confirm against CompleteUsers.
	DefaultSubjectNamespace string
	// Subjects are the users, groups or service accounts to add or remove,
	// presumably filled by CompleteUsers or CompleteGroups — confirm.
	Subjects []kapi.ObjectReference
}

func (*SCCModificationOptions) AddSCC added in v1.0.7

func (o *SCCModificationOptions) AddSCC() error

func (*SCCModificationOptions) CompleteGroups added in v1.0.7

func (o *SCCModificationOptions) CompleteGroups(f *clientcmd.Factory, args []string) error

func (*SCCModificationOptions) CompleteUsers added in v1.0.7

func (o *SCCModificationOptions) CompleteUsers(f *clientcmd.Factory, args []string, saNames []string) error

func (*SCCModificationOptions) RemoveSCC added in v1.0.7

func (o *SCCModificationOptions) RemoveSCC() error
